Techniques for replicating changes to access control lists on investigative analysis data

ABSTRACT

Techniques for replicating changes to access control lists on investigative analysis data are disclosed. After a change is made in a database to an access control list (ACL) governing access to a secured component of a data object, an exporting nexus sends an ACL change network message to an importing nexus. The ACL change message includes information that the importing nexus can use to apply the ACL change to the importing database. Applying the ACL change message includes using the information in the ACL change message to determine which change records for which secured components of the data object in the importing database the ACL change should be applied to. By doing so, user access to all change records in the importing database to which the ACL change is applied is governed by the new ACL, thereby preventing unauthorized access to the change records, including historical change records.

FIELD

Computer-implemented techniques are disclosed which generally relate to replication of database data, and more particularly to computer-implemented techniques for replicating changes to access control lists on investigative analysis data.

BACKGROUND

Making investigative decisions, especially those that have the potential to impact lives and communities, requires access to up-to-date and accurate investigative information. Unfortunately, investigative information is often spread across multiple databases, computers, geographies, and clearance levels. For investigative organizations such as intelligence, defense, and law enforcement organizations to be successful, they need ways to share and find information quickly so that critical decisions can be made in time for them to have impact.

One possible solution for sharing investigative data between investigative teams is to use a multimaster database system. In a multimaster database system, investigative data is stored in a group of databases which may be geographically distributed and interconnected by one or more data networks. Data changes may be made to any database of the group. Data changes made to one database are propagated over a data network by a software process to the rest of the group. Multimaster database systems typically employ either a “synchronous” or an “asynchronous” replication scheme for propagating database changes.

In synchronous multimaster replication, each change is applied to all databases in the group immediately or to none of the databases if one or more of the databases in the group cannot accept the change. For example, one of the databases may be offline or unavailable.

In contrast, in asynchronous multimaster replication, a change made to a database is immediately accepted by the database but propagation of the change to other databases in the group may be deferred. Because propagation of changes may be deferred, if a database in the group is unavailable, the available databases can still accept changes, queuing the changes locally until they can be propagated. For this reason, multimaster database systems employing an asynchronous replication strategy are considered to be more highly available than multimaster database systems employing a synchronous replication strategy. However, since asynchronous replication raises the possibility of “concurrency conflicts” that occur as a result of concurrent database changes to multiple databases of the group, multimaster database systems employing an asynchronous replication scheme are generally considered to be more complex to design, maintain and operate than those employing a synchronous replication scheme. Despite the extra complexity, asynchronous replication is often preferred in the investigative analysis context where investigative analysis teams can be dispersed throughout the world and connected to one another by unreliable network connectivity. Using an asynchronous replication scheme allows an investigative team to update investigative data in their local database even if network connectivity is not currently available. When network connectivity becomes available, the team can share their updates with other teams and receive the other teams' updates made in the interim.

A concurrency conflict can occur in a multimaster system employing an asynchronous replication scheme when the same data is changed in two databases before either one of those data changes can be propagated to the other. For example, assume that at database A, data representing a particular person's eye color is changed to “brown”, and after that data change but before that data change can be propagated to database B, data at database B representing the same particular person's eye color is changed to “green”. Without additional information, it is unclear which data change is the “correct” change that should be adopted by database A and database B.

Typically, a multimaster system employing an asynchronous replication scheme provides a mechanism for “deconflicting” concurrency conflicts. In many cases, deconflicting a concurrency conflict involves detecting and resolving the concurrency conflict such that the resolution of the concurrency conflict is adopted at all databases in the group. In some cases, the multimaster system may be able to deconflict a concurrency conflict automatically without requiring user intervention. In other cases, user intervention is required to decide which of the concurrent data changes should be adopted as the “correct” data change.

One possible approach for detecting concurrency conflicts in a multimaster system employing asynchronous replication is through the use of version vectors (sometimes referred to as vector clocks). A version vector is a mechanism for ordering changes to database data that works by tracking “causality” relationships between changes. In particular, version vectors allow the system to determine if one change “happened before”, “happened after”, or “happened concurrently with” another change, even if the two changes were made to different databases at different times. Further information on using version vectors to track causality relationships between database changes in a multimaster database system is available on the Internet at wiki/Version_vector in the en.wikipedia.org domain, the entire contents of which is hereby incorporated by reference.

“Revisioning” adds an additional layer of complexity to multimaster asynchronous replication on top of the complexity of detecting concurrency conflicts. In particular, “revisioning” databases in the replication group may each maintain an online history of database changes. Maintaining a historical record of changes as opposed to just the latest changes is useful in the investigative analysis context because it allows investigators to determine “what was known when”, where the “when” can be a point in time in the past. For example, a revisioning database may store two change records CR1 and CR2 for a suspect of a criminal investigation where initially it was thought the suspect is residing in Los Angeles, Calif., USA as indicated by change record CR1 but it is now thought that the suspect resides in Sacramento, Calif., USA as indicated by change record CR2. When replicating a change to a revisioning database to another revisioning database, it may be desirable that the history of changes exist in both databases after the replication has occurred. For example, if the “current possible location” property of the criminal suspect is changed in revisioning database D1 from “Los Angeles, Calif., USA” to “Sacramento, Calif., USA” and that change is replicated to revisioning database D2, it may be desirable that the change records CR1 and CR2 for the suspect in revisioning database D2 indicate that the prior value for the property was “Los Angeles, Calif., USA” and the current value for the property is “Sacramento, Calif., USA” respectively.

Access control adds yet another layer of complexity to multimaster asynchronous replication. In particular, change records in a revisioning database can be associated with an access control list that governs access to the change records. Such access may include reading the change records. For example, an access control list ACL1 associated with the change records CR1 and CR2 for the criminal suspect in revisioning database D1 may specify that both user Alice and user Bob currently have read access to the change records CR1 and CR2. Thus, both Alice and Bob can determine from the change records CR1 and CR2 in database D1 that the prior value for the “current possible location” property was “Los Angeles, Calif., USA” and the current value for the property is “Sacramento, Calif., USA”. If an access control list associated with a set of change records is changed in one database and that change is replicated to another database, it may be desirable for security purposes that the access control list resulting from the change apply to all change records, including historical ones, in the other database. For example, if the access control list ACL1 is changed in database D1 to remove Bob and that change is replicated to database D2, it may be desirable, for security purposes, that after the change is applied to database D2, user Bob can no longer read change records CR1 or CR2 in database D2.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of a software-implemented process performed by an exporting nexus according to an embodiment of the present invention.

FIG. 2 is a flowchart of a software-implemented process performed by an importing nexus according to an embodiment of the present invention.

FIG. 3 is a block diagram illustrating an object-centric data model according to an embodiment of the present invention.

FIG. 4 is a block diagram illustrating an example access control list according to an embodiment of the invention.

FIG. 5 is a block diagram illustrating an example revisioning database table storing change records according to an embodiment of the invention.

FIG. 6 is a block diagram illustrating a computer system on which embodiments of the invention may be implemented.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

Overview

Techniques for replicating changes to access control lists on investigative analysis data are disclosed. In some embodiments, after a change is made in a database to an access control list (hereinafter just “ACL”) governing access to a secured component of a data object, an “exporting nexus” sends an ACL change network message (hereinafter just “ACL change message”) to an “importing nexus”. For example, the exporting nexus may send the ACL change message to the importing nexus as part of an asynchronous data replication process. The term “nexus” is more formally defined below but generally refers to software or other computer-executable logic that operates on a database, for example, as part of database management software or an application thereof. For the sake of clarity, the database that the exporting nexus operates on and from which the change to the ACL is exported as the ACL change message is referred to hereinafter as the “exporting database” and the database that the importing nexus operates on and to which the ACL change message is applied is referred to hereinafter as the “importing database”.

The ACL change message includes information that the importing nexus can use to apply the ACL change to the importing database. Applying the ACL change message includes using the information in the ACL change message to determine which secured components of the data object in the importing database the ACL change should be applied to. The terms “data object” and “secured component” are defined in greater detail below. However, a data object generally refers to data that represents a thing in the real world such as a person, place, or event and a secured component represents data associated with a data object and to which access is governed by an access control list. Examples of a secured component include a property (e.g., a person's hair color) of a data object, a note (e.g., a piece of text) associated with a data object, and a piece of media (e.g., video or audio) associated with a data object.

The exporting database and the importing database can be revisioning databases. That is, both databases may maintain histories of changes to secured components in the form of change records for each of the secured components. As mentioned, applying the ACL change message includes using the information in the ACL change message to determine which secured components of the data object in the importing database the ACL change should be applied to. This applying includes using the information in the ACL change message to determine which change records for which secured components of the data object in the importing database the ACL change should be applied to. By doing so, user access to all change records in the importing database to which the ACL change is applied is governed by the new ACL, thereby preventing unauthorized access to the change records, including historical change records.

Nexus

Computer databases are a common mechanism for storing information on computer systems at replication sites while providing access to the stored information to users. A typical database is an organized collection of information stored as “objects” or “records” having “properties” or “fields”. As an example, a database of criminal suspects may have an object for each suspect where each object contains properties designating specifics about the suspect, such as eye color, hair color, height, sex, etc.

Operating on the actual database itself (i.e., the organized information actually stored on a storage device) there is typically a software-based database management system or DBMS that, among other operations, processes requests from users for access to information in the database. Users may interact indirectly with the DBMS through a database application that in turn interacts directly with the DBMS to provide high level database operations to users, such as analyzing, integrating, and visualizing database information. However, the distinction between DBMS and database application is not clear cut and functionality provided by one may be provided by the other. Consequently, in this description, the term “nexus” is used to refer broadly to any software that operates directly or indirectly on the actual database itself. A nexus may include a DBMS, a database application or applications, or components thereof.

Exporting Nexus Process

FIG. 1 is a flowchart 100 of a software-implemented process performed by an exporting nexus according to an embodiment of the present invention. For example, the process may be performed after an ACL associated with a secured component of a data object has been changed in the exporting database. The ACL change may be made by a user or a computing process. The ACL change may involve creating a new ACL for the secured component or modifying an existing ACL for the secured component. The process may be performed by the exporting nexus to inform an importing nexus about the ACL change so that the importing nexus can appropriately apply the ACL change to the importing database.

The exporting nexus process generally involves collecting information pertaining to the ACL change from the exporting database and sending the information in an ACL change message to the importing nexus. The information collected is information that the importing nexus can use to identify which change records in the importing database to apply the ACL change to. The process does not require the importing database and the exporting database to have corresponding identifiers or external identifiers for change records or secured components. Thus, the importing database and the exporting database may use different internal identifiers for change records and secured components. In other words, the internal identifiers are not required to have inherent correspondence between the databases.

While steps of the exporting nexus process are depicted and described as being performed in a certain order, some or all of the steps are performed in a different order and/or performed concurrently with one another in other embodiments.

At step 102, the current value and one or more historical values of the secured component are obtained from the change records in the exporting database for the secured component. In some embodiments, all available historical values of the secured component are obtained from the exporting database.

At step 104, the current ACL and one or more historical ACLs associated with the secured component are obtained from the exporting database. In some embodiments, all available historical ACLs associated with the secured component are obtained from the exporting database. Over time, the ACL associated with a secured component may change more frequently than the value of the secured component. Thus, there may be more historical ACLs obtained at step 104 than historical values obtained at step 102. Similarly, over time, the value of the secured component may change more frequently than the ACL associated with the secured component. Thus, there may be more historical values obtained at step 102 than historical ACLs obtained at step 104.

At optional step 106, the current component type of the secured component and one or more historical component types of the secured component are obtained from the exporting database. Over time, the component type associated with a secured component may change more frequently than the value of the secured component. Thus, there may be more historical component types obtained at optional step 106 than historical values obtained at step 102. Similarly, over time, the value of the secured component may change more frequently than the component type of the secured component. Thus, there may be more historical values obtained at step 102 than historical component types obtained at step 106. In some embodiments, a component type is expressed in the form of a Uniform Resource Indicator (URI). A component type URI may identify the data type of the secured component according to a data type ontology used by the exporting nexus. A component type URI may be used for value transformations if the exporting nexus and the importing nexus support cross-ontology replication. Further information on using component type URIs for cross-ontology multimaster replication can be found in related U.S. patent application Ser. No. 13/076,804, entitled “Cross-Ontology Multi-Master Replication”, and filed Mar. 31, 2011, the entire contents of which is hereby incorporated by reference as if fully set forth herein.

At optional step 108, global identifiers of data sources for the secured component are obtained from the exporting database. A “data source” is a single source of data for a secured component. For example, a data source can be a person who manually enters the secured component data or a document, spreadsheet, database, or other digital information from which the secured component data was extracted, parsed, or derived. A secured component can have multiple data sources. The global identifiers of the data source may be meaningful to both the exporting nexus and the importing nexus. That is, the global data source identifiers may unambiguously identify data source records in both the exporting system and in the importing system. Such data source records may be associated in the importing system with their own ACLs separate from the ACLs associated with secured components.

In some embodiments, the importing nexus uses the global data source identifiers to identify data source ACLs in the importing database to which the ACL change should be applied. In some embodiments, in addition to obtaining global identifiers of data sources for the secured component from the exporting database, additional information about how the secured component data was obtained from the data sources is also obtained from the exporting database. For example, the additional information may include a page number or index of a document from which the secured component data was obtained, if the secured component is a document type, or a video frame number from which secured component video data was obtained, if the secured component is a video type. The additional information can be used to prevent false positive matches when importing the ACL change into the importing database.

At step 110, the information collected in steps 102, 104, 106 (if performed), and 108 (if performed) is sent to the importing nexus over a data network in an ACL change message. The ACL change message may be sent as part of a periodic asynchronous replication process performed by the exporting nexus. The exporting nexus may perform the replication process to inform the importing nexus of changes, including ACL changes, to the exporting database that have occurred since the exporting nexus last performed the replication process with the importing nexus. In some embodiments, the ACL change message and the information contained therein is formatted according to the eXtensible Markup Language (XML). However, other data encoding formats or other markup language formats may be used. For example, the ACL change message can be formatted with a protocol buffer. Further information on protocol buffers can be found on the Internet at wiki/Protocol_Buffers in the en.wikipedia.org domain, the entire contents of which is hereby incorporated by reference.

Importing Nexus Process

FIG. 2 is a flowchart 200 of a software-implemented process performed by an importing nexus according to an embodiment of the present invention. The process may be performed by the importing nexus after the exporting nexus has sent an ACL change message to it, the ACL change message pertaining to an update to an ACL on a secured component in the exporting database. For purposes of providing clear examples, the secured component in the exporting database to which the ACL change message pertains is referred to in this section as the “exported” secured component and the data object that the exported secured component is a part of or associated with is referred to in this section as the “target” data object (or target data objects). Recall that secured components and associated change records in the exporting database and the importing database may not have corresponding identifiers. That is, it may not be possible to determine solely from the identifier of a secured component in one of the databases which secured component in the other database corresponds to it. Each of the exporting database and the importing database may use internal non-corresponding identifiers for identifying secured components so that assignment of identifiers to secured components does not require coordination between nexuses and so that the internal identifiers are not required to have a minimum data (byte) length to ensure uniqueness across the databases.

While steps of the importing nexus process are depicted and described as being performed in a certain order, some or all of the steps are performed in a different order and/or performed concurrently with one another in other embodiments.

At step 202, the importing nexus receives the ACL change network message sent to it by the exporting nexus. In some embodiments, the received ACL change network message contains a global identifier of the target data object.

The ACL change message contains a set of values of the exported secured component including a current value and one or more historical values of the exported secured component (“exported values”). The exported values may be ordered or arranged by age with the current value being first (or last) in the order and the oldest value in the set of exported values being last (or first) in the order.

The ACL change message also contains a set of ACLs associated with the exported secured component including a current ACL and one or more historical ACLs associated with the exported secured component (“exported ACLs”). The exported ACLs may be ordered or arranged by age with the current ACL being first (or last) in the order and the oldest ACL in the set of exported ACLs being last (or first) in the order.

The ACL change message may also contain a set of component types associated with the exported secured component including a current component type and one or more historical component types associated with the exported secured component (“exported component types”). The exported component types may be ordered or arranged by age with the current component type being first (or last) in the order and the oldest component type in the set of exported component types being last (or first) in the order.

The ACL change message may also contain a set of data source identifiers associated with the exported secured component (“exported data source identifiers”).

At step 204, the importing nexus obtains, from the importing database, all values, current and historical, for all secured components of the target data object in the importing database (“candidate values”).

At step 206, the importing nexus obtains, from the importing database, all ACLs, current and historical, associated with all secured components of the target data object in the importing database (“candidate ACLs”).

At optional step 208, the importing nexus obtains, from the importing database, all component types, current and historical, of all secured components of the target data object in the importing database (“candidate component types”).

At step 210, the target secured component from all secured components of the target data object in the importing database is identified in the importing database. Generally, this identification process proceeds by iterating over all secured components of the target data object in the importing database one-by-one until the target secured component is identified (at which point the remaining secured components need not be iterated over because the target secured component has been identified). For each secured component iterated over, a comparison is performed. The comparison involves comparing the exported values to the candidate values of the current secured component. If there is a match, then the comparison further involves comparing the exported ACLs to the candidate ACLs of the current secured component. If there is still a match, then the current secured component may be identified as the target secured component. In some embodiments, the current secured component is not identified as the target secured component unless there is also a match between the exported component types and the candidate component types of the current secured component.

At step 212, the ACLs, current and historical, associated with the target secured component in the importing database are updated in the importing database. This updating may include replacing, in the importing database, all of the ACLs, current and historical, associated with the target secured component in the importing database with the current ACL from the exported ACLs. By doing so, all values, current and historical, of the target secured component in the importing database are protected in the importing database by the current ACL from the exported ACLs.

At optional step 214, if the ACL change message contains the exported data source identifiers, then all ACLs in the importing database associated with the identified data source records are replaced with the current ACL from the exported ACLs. By doing so, all of the identified data source records are also protected in the importing database by the current ACL from the exported ACLs.
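The exporting nexus process (steps 102 through 110) and the importing nexus process (steps 202 through 214) together, as an added Python model that is not code from the patent or any product it describes. It simplifies the data model to one change record per revision carrying a value, an ACL and a component type, treats "match" at step 210 as an assumed rule (the importer's value, ACL and component-type histories, oldest first, must each be a prefix of the exported ones, so an importer that lags behind still matches), and then replaces every ACL on the matched component, historical records included; the type URI, object and data source identifiers and the Alice/Bob/Carol scenario are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

Acl = FrozenSet[str]  # principals with read access


@dataclass
class ChangeRecord:
    value: str
    acl: Acl             # the ACL governing this change record
    component_type: str  # e.g. a component type URI (constructed values in demo())

@dataclass
class SecuredComponent:
    object_id: str                                             # global data object id
    history: List[ChangeRecord] = field(default_factory=list)  # change records, oldest first
    data_sources: List[str] = field(default_factory=list)      # global data source ids

@dataclass
class Database:
    components: Dict[str, SecuredComponent] = field(default_factory=dict)  # internal id -> component
    data_source_acls: Dict[str, Acl] = field(default_factory=dict)         # global id -> ACL

def build_acl_change_message(db: Database, internal_id: str) -> dict:
    """Exporting nexus, steps 102-110: histories newest first; internal ids are not sent."""
    comp = db.components[internal_id]
    newest_first = list(reversed(comp.history))
    return {
        "object_id": comp.object_id,
        "values": [cr.value for cr in newest_first],
        "acls": [sorted(cr.acl) for cr in newest_first],
        "component_types": [cr.component_type for cr in newest_first],
        "data_sources": list(comp.data_sources),
    }

def is_prefix(candidate: list, exported: list) -> bool:
    """Assumed matching rule: the importer's history (oldest first) is a prefix of the exporter's."""
    return exported[: len(candidate)] == candidate

def identify_target(db: Database, msg: dict) -> Optional[str]:
    """Importing nexus, step 210: first component of the target object whose histories match."""
    exp_values = list(reversed(msg["values"]))  # back to oldest first
    exp_acls = list(reversed(msg["acls"]))
    exp_types = list(reversed(msg["component_types"]))
    for internal_id, comp in db.components.items():
        if comp.object_id != msg["object_id"]:
            continue
        if not is_prefix([cr.value for cr in comp.history], exp_values):
            continue  # values must match first
        if not is_prefix([sorted(cr.acl) for cr in comp.history], exp_acls):
            continue  # then the ACL history; this rejects a decoy with the same values
        if is_prefix([cr.component_type for cr in comp.history], exp_types):
            return internal_id  # optional check: component types too
    return None

def apply_acl_change_message(db: Database, msg: dict) -> Optional[str]:
    """Importing nexus, steps 202-214; returns the updated component's internal id or None."""
    target_id = identify_target(db, msg)
    if target_id is None:
        return None
    new_acl: Acl = frozenset(msg["acls"][0])  # current ACL is first (newest)
    for cr in db.components[target_id].history:  # step 212: every change record,
        cr.acl = new_acl                         # historical ones included
    for ds in msg["data_sources"]:  # step 214: data source records named in the message
        if ds in db.data_source_acls:
            db.data_source_acls[ds] = new_acl
    return target_id

def readable_values(db: Database, internal_id: str, user: str) -> List[str]:
    """Values (oldest first) of the change records that grant `user` read access."""
    return [cr.value for cr in db.components[internal_id].history if user in cr.acl]

def demo() -> dict:
    """Constructed scenario from the text: D1 removes Bob from ACL1 and replicates to D2."""
    loc = "urn:example:property/current-possible-location"  # constructed type URI
    both, alice_only = frozenset({"alice", "bob"}), frozenset({"alice"})
    # D1 (exporting) after the ACL change: a third change record carries the new ACL.
    d1 = Database({"x17": SecuredComponent("person-42", [
        ChangeRecord("Los Angeles, Calif., USA", both, loc),
        ChangeRecord("Sacramento, Calif., USA", both, loc),
        ChangeRecord("Sacramento, Calif., USA", alice_only, loc)], ["doc-7"])},
        {"doc-7": both})
    # D2 (importing) still has the old ACL, uses unrelated internal ids, and "b" is a decoy.
    d2 = Database({
        "b": SecuredComponent("person-42", [
            ChangeRecord("Los Angeles, Calif., USA", frozenset({"carol"}), loc),
            ChangeRecord("Sacramento, Calif., USA", frozenset({"carol"}), loc)]),
        "c": SecuredComponent("person-42", [
            ChangeRecord("Los Angeles, Calif., USA", both, loc),
            ChangeRecord("Sacramento, Calif., USA", both, loc)], ["doc-7"]),
    }, {"doc-7": both})
    bob_before = readable_values(d2, "c", "bob")
    matched = apply_acl_change_message(d2, build_acl_change_message(d1, "x17"))
    return {"matched": matched, "bob_before": bob_before,
            "bob_after": readable_values(d2, "c", "bob"),
            "alice_after": readable_values(d2, "c", "alice"),
            "decoy_untouched": readable_values(d2, "b", "carol"),
            "source_acl": sorted(d2.data_source_acls["doc-7"])}
```

After `demo()` runs, Bob can no longer read either the current or the historical location record in D2, Carol's decoy component is untouched, and the shared data source record is locked down as well.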

Object-Centric Data Model

Investigative analysis data stored in the exporting database or the importing database may be conceptually stored and organized according to an object-centric data model. FIG. 3 illustrates an object-centric conceptual data model 300. Model 300 is centered on the notion of a data object 310. It should be noted that the particulars of the data model 300 are not to be confused with the particulars of how the investigative analysis data is stored in the exporting database or the importing database which may be varied and depend on the type of the database according to the requirements of the particular implementation at hand. For example, if the importing database and the exporting database are relational databases, then data organized according to data model 300 may be stored in the exporting database and the importing database as one or more rows of one or more database tables.

At the highest level of abstraction, a data object 310 is a container for information representing things in the world. For example, a data object 310 can represent an entity such as a person, a place, an organization, or other noun. A data object 310 can represent an event that happens at a point in time or for a period of time. A data object 310 can represent a document or other unstructured data source such as an e-mail message, a news report, or a written paper or article. These are just some examples of what a data object 310 can represent. A data object 310 may be associated with a unique identifier that uniquely identifies the data object within the exporting database and the importing database. A data object 310 may also have a type (e.g., Person, Event, or Document) and a display name which may be the value of a particular property of the data object 310.

A data object 310 can have or be associated with a number of secured components including one or more properties 312, one or more links 314, a linkset 316, a note 318, and media 320.

A property 312 may have a type, name, and a value. Different types of data objects 310 may have different types of properties 312. For example, a Person data object 310 might have an Eye Color property 312 and an Event data object 310 might have a Date property 312. In some embodiments, the set of data object types and the set of property types for each type of data object 310 supported by the exporting database and the importing database are defined according to a pre-defined, user-defined, or dynamically-defined ontology or other hierarchical structuring of knowledge through sub-categorization of object types and property types according to their relevant and/or cognitive qualities. In some embodiments, the importing database and the exporting database use different ontologies and replication between the exporting nexus and the importing nexus is accomplished across the differing ontologies. For example, such cross-ontology multi-master replication may be accomplished using the techniques described in related U.S. patent application Ser. No. 13/076,804, entitled “Cross-Ontology Multi-Master Replication”, and filed Mar. 31, 2011, the entire contents of which is hereby incorporated by reference as if fully set forth herein. In some embodiments, data model 300 supports property multiplicity. In particular, a data object 310 may be allowed to have more than one property 312 of the same type. For example, a Person data object 310 might have multiple Address properties 312 or multiple Name properties 312.

A link 314 represents a connection between two data objects 310. In some embodiments, the connection is either through a relationship, an event, or through matching properties 312. A relationship connection may be asymmetrical or symmetrical. For example, Person data object A 310 may be connected to Person data object B 310 by a Child Of relationship (where Person data object B 310 has an asymmetric Parent Of relationship to Person data object A 310), a Kin Of symmetric relationship to Person data object C 310, and an asymmetric Member Of relationship to Organization data object X 310. The type of relationship between two data objects 310 may vary depending on the types of the data objects 310. For example, Person data object A 310 may have an Appear In relationship with Document data object Y 310 or have a Participate In relationship with Event data object E 310. As an example of an event connection, two Person data objects 310 may be connected by an Airline Flight data object 310 representing a particular airline flight if they traveled together on that flight, or by a Meeting data object 310 representing a particular meeting if they both attended that meeting. In some embodiments, when two data objects 310 are connected by an event, they are also connected by relationships, in which each data object 310 has a specific relationship to the event, such as, for example, an Appears In relationship. As an example of a matching properties 312 connection, two Person data objects 310 representing a brother and a sister may both have an Address property 312 that indicates where they live. If the brother and the sister live in the same home, then their Address properties 312 likely contain similar, if not identical, information. In some embodiments, a link 314 between two data objects 310 may be established based on similar or matching properties 312 of the data objects 310. The above are just some examples of the types of connections that may be represented by a link 314 and other types of connections may be represented. Thus, it should be understood that embodiments of the invention are not limited to any particular types of connections between data objects 310. For example, a document might contain two different tagged entities. A link 314 between two data objects 310 may represent a connection between these two entities through their co-occurrence within the same document.

A data object 310 can have multiple links 314 with another data object 310 to form a link set 316. For example, two Person data objects 310 representing a husband and a wife could be linked through a Spouse Of relationship, a matching property (Address) 312, and an event (Wedding).

A note 318 is a piece of text associated with a data object 310. For example, a note 318 may be free-form text entered by an investigator that is associated with a data object 310.

Media 320 is arbitrary binary data, such as an image, a video, or audio, associated with a data object 310.

Each secured component may be associated with a data source 322. Specifically, each property 312, each media 320, each note 318, and each link 314 in the exporting database and the importing database may be associated with a data source 322 through a data source record. A data source 322 is the source of the data of the associated secured component. Example data sources 322 include user-entered data, a document, and a database.

Access Control List

FIG. 4 is a block diagram illustrating an example access control list (ACL) 400 according to an embodiment of the invention. ACL 400 may be associated with a secured component of a data object in the exporting database or the importing database. The exporting database and the importing database may store change records for an ACL 400 as well as storing change records for the secured component the ACL 400 is associated with. By doing so, the current ACL 400 for a secured component can be determined as well as previous versions of the ACL 400 associated with the secured component. In some embodiments, a data source 322 is also associated with its own ACL 400 separate from the ACLs 400 associated with the secured components that are associated with the data source 322.

In some embodiments, an ACL 400 may include a set of zero or more access control items (ACI) 420 and zero or one classification 430. Typically, an ACL 400 will include at least one ACI 420, a classification 430, or both at least one ACI 420 and a classification 430.

Each ACI 420 specifies a group 421 and a permission 422 of that group 421. A group 421 may also be referred to as a role. The group 421 of an ACI 420 identifies a set of users. The permission 422 of the ACI 420 identifies an operation a user in the group can perform on the associated secured component or an operation the user can perform on the ACL 400. Non-limiting examples of a permission 422 include read, write, owner, create, delete, etc.

According to some embodiments, if an ACL 400 has a classification 430, then a user must be authorized for each and every classification marking in the set of classification markings of the classification 430 to have any access to the associated secured component or the ACL 400. Thus, the classification 430 overrides any permission 422 granted to the user that would otherwise allow the user to access the associated secured component or the ACL 400.

A classification marking is data associated with sensitive information in a database that indicates a classification marking a user must be authorized for in order to access the sensitive information. The possible classification markings are typically specific to a particular classification scheme and may be hierarchical according to authorization level. For example, one classification scheme may have as the highest classification marking Top Secret (TS), followed by Secret (S), followed by Confidential (C), followed by Restricted (R), and finally Unclassified (U). A user authorized for classification marking Secret (S) can access sensitive information with a classification marking of Secret (S), Confidential (C), Restricted (R), or Unclassified (U) but not Top Secret (TS). The foregoing classification markings are NOTIONAL ONLY and provided solely for example purposes.
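The access decision described in the two paragraphs above, as an added example (this is not code from the patent or from any product it describes): an ACL 400 with zero or more ACIs 420 and zero or one classification 430, where the classification is checked first and overrides any ACI grant. The notional TS/S/C/R/U ordering is the one given above; the `User` model, the treatment of markings outside that hierarchy as markings a user must hold explicitly, and the marking name `PROJECT-X` are assumptions of this example.

```python
"""Added example, not from the patent: access decision over an ACL 400.
Assumptions: a user has one hierarchical clearance plus a set of explicitly
held non-hierarchical markings; the TS/S/C/R/U scheme is notional."""
from dataclasses import dataclass

# Notional hierarchical scheme from the text, lowest to highest level.
LEVEL = {"U": 0, "R": 1, "C": 2, "S": 3, "TS": 4}


@dataclass(frozen=True)
class ACI:
    group: str        # group 421 (role) identifying a set of users
    permission: str   # permission 422, e.g. "read", "write", "owner"


@dataclass(frozen=True)
class ACL:
    acis: frozenset = frozenset()              # zero or more ACIs 420
    classification: frozenset = frozenset()    # empty = no classification 430


@dataclass(frozen=True)
class User:
    groups: frozenset
    clearance: str = "U"                 # highest hierarchical marking held (assumed)
    markings: frozenset = frozenset()    # explicitly held non-hierarchical markings (assumed)


def holds_marking(user, marking):
    """Hierarchical marking: held when the user's clearance level is at least
    the marking's level (S covers S, C, R, U). Any other marking must be held
    explicitly; an unknown marking is therefore never satisfied by accident."""
    if marking in LEVEL:
        return LEVEL[user.clearance] >= LEVEL[marking]
    return marking in user.markings


def is_authorized(user, acl, permission):
    """Classification first: a user not authorized for every marking gets no
    access at all, whatever the ACIs grant. Only then do ACIs decide, and an
    ACL with no ACIs grants nothing."""
    if not all(holds_marking(user, m) for m in acl.classification):
        return False
    return any(a.permission == permission and a.group in user.groups
               for a in acl.acis)


def accessible_markings(user):
    """Hierarchical markings the user may access, e.g. S -> {S, C, R, U}."""
    return {m for m, lvl in LEVEL.items() if lvl <= LEVEL[user.clearance]}
```

Note that the classification check runs before the ACI lookup and short-circuits to a denial; an implementation that evaluated ACIs first and then "subtracted" the classification would be easier to get wrong when new permission types are added.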

Revisioning Database

The exporting nexus and the importing nexus may use or implement a revisioning database system for tracking changes made to investigative analysis data stored in the exporting database and the importing database respectively. Thus, the exporting database and the importing database may each be considered to be a revisioning database. In some embodiments, the revisioning database system is implemented as an application on top of a conventional database management system (not shown). For example, the database management system may be a relational database management system such as those commercially available from the Oracle Corporation of Redwood Shores, Calif. and the Microsoft Corporation of Redmond, Wash.

In one aspect, the revisioning database system differs from other types of database systems in that it is capable of answering a query about the state of investigative analysis data stored in a revisioning database at a point in time in the past, as opposed to only being able to answer a query about the current state of the investigative analysis data. With the revisioning database system, investigative analysts can determine when a particular piece of data was added or edited in a revisioning database. Thus, the revisioning database system, as a result of its capability to track changes to investigative analysis data stored in a revisioning database, enables investigative analysts to determine what was known when.

In some embodiments, the revisioning database system is capable of tracking all changes made to investigative analysis data over a period of time. To do so, the revisioning database system creates a new database change record in a revisioning database for every creation, edit, or deletion of a secured component (e.g., a property 312, a link 314, a note 318, or media 320), an ACL 400, or a data source 322. To track the ordering of the changes, the revisioning database system employs an always-increasing logical clock that models all of the changes as a linear sequence of database events. The logical clock provides a total ordering for all changes. In addition, the logical clock provides atomicity for changes, as multiple changes can occur at the same point in the linear sequence of database events represented by the logical clock (and hence be associated with the same logical clock value).

FIG. 5 is a block diagram illustrating an example database table 500 in a revisioning database for tracking changes made to data objects 310 according to an embodiment of the invention. Separate similar or analogous database tables may be used for tracking changes to properties 312, links 314, notes 318, media 320, ACLs 400, and data sources 322. Generally, a change record indicates the change operation performed (e.g., create, edit, or delete), the secured component, ACL, or data source that was changed, and data representing the result of the change (e.g., the value created, edited, or deleted).

For example, each change record 518, 520, 522, 524, and 526 in table 500 represents a creation, edit, or deletion of a data object 310 or a creation, edit, or deletion of a property 312 of a data object 310. The fields of each change record include an ‘obj_comp_id’ field identifying the data object 310 or property 312 that was created, edited, or deleted by the change, an ‘obj_id’ field identifying the data object 310 that was created, edited, or deleted by the change, a ‘logical_clk’ field that identifies the order of the change in a total ordering of all changes made to the revisioning database containing table 500, a ‘deleted’ field indicating whether the change was a deletion of a data object 310 or a property 312, and a ‘values’ field indicating, for changes that create or edit a value, the value that resulted from the change or, for changes that delete a value, the value that was deleted.

For example, referring to FIG. 5, at logical clock event 1, a data object 310 of type “Person” was created. Also at logical clock event 1, a “Name” property 312 of the Person data object 310 was created and given the value “John Smith”. Later, at logical clock event 2, a “Phone #” property 312 of the object was created and given the value “415-222-1234”. At logical clock event 3, the “Name” property 312 that was created at logical clock event 1 was edited to have the value “Jonathan Smith”. At logical clock event 4, the “Phone #” property 312 that was created at logical clock event 2 was deleted. As a result of the changes at logical clock events 1, 2, 3, and 4, the state of the object at logical clock event 4 is a data object 310 of type “Person” with the property “Name” 312 having a value “Jonathan Smith”.

By preserving all changes made to an object 310 in the form of change records, the revisioning database system is able to provide the state of an object 310 at a point in time in the past. For example, referring again to FIG. 5, it can be seen from change records 518, 520, and 522 that the state of the object with obj_id=10 at logical clock event 2 was a data object 310 of type “Person” with a property “Name” 312 having a value “John Smith” and a property “Phone #” 312 having a value “415-222-1234”.
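The point-in-time query that the change records of table 500 make possible, as an added example (not code from the patent): a minimal revisioning table with the five fields named above, an always-increasing logical clock under which several records may share one clock value, and a `state_at` replay that reproduces the FIG. 5 narrative. The records are constructed to follow that narrative; the component identifiers 10, 11 and 12 for the Person object and its two properties are assumptions of this example.

```python
"""Added example, not from the patent: change records with a logical clock and
a point-in-time ("what was known when") query. TABLE_500 below is constructed
to mirror the FIG. 5 narrative; obj_comp_id values 10/11/12 are assumed."""
from collections import namedtuple

ChangeRecord = namedtuple(
    "ChangeRecord", "obj_comp_id obj_id logical_clk deleted values")

# obj_comp_id 10 is the Person object itself, 11 its Name, 12 its Phone #.
TABLE_500 = [
    ChangeRecord(10, 10, 1, False, {"type": "Person"}),
    ChangeRecord(11, 10, 1, False, {"Name": "John Smith"}),
    ChangeRecord(12, 10, 2, False, {"Phone #": "415-222-1234"}),
    ChangeRecord(11, 10, 3, False, {"Name": "Jonathan Smith"}),
    ChangeRecord(12, 10, 4, True, {"Phone #": "415-222-1234"}),
]


def next_clock(records):
    """Always-increasing logical clock: one past the latest recorded event."""
    return max((r.logical_clk for r in records), default=0) + 1


def record_change(records, obj_comp_id, obj_id, values, deleted=False,
                  logical_clk=None):
    """Append a change record. Passing an explicit logical_clk equal to the
    latest one groups several records into one atomic event; a clock that
    goes backwards is rejected so the total ordering is preserved."""
    clk = next_clock(records) if logical_clk is None else logical_clk
    if records and clk < records[-1].logical_clk:
        raise ValueError("logical clock must not go backwards")
    records.append(ChangeRecord(obj_comp_id, obj_id, clk, deleted, dict(values)))
    return clk


def state_at(records, obj_id, logical_clk):
    """State of a data object as of logical_clk: keep the latest record per
    component with logical_clk <= the requested event, drop deleted ones.
    sorted() is stable, so records sharing a clock keep insertion order."""
    latest = {}
    for r in sorted(records, key=lambda r: r.logical_clk):
        if r.obj_id == obj_id and r.logical_clk <= logical_clk:
            latest[r.obj_comp_id] = r
    state = {}
    for r in latest.values():
        if not r.deleted:
            state.update(r.values)
    return state


def history(records, obj_comp_id):
    """When a component was created, edited or deleted:
    a list of (logical_clk, deleted, values) in clock order."""
    return [(r.logical_clk, r.deleted, r.values)
            for r in sorted(records, key=lambda r: r.logical_clk)
            if r.obj_comp_id == obj_comp_id]
```

Because deletions are recorded rather than performed, `history` still returns the deleted phone number; which users may see such historical records is exactly what the ACL change records and the replication of ACL changes, described later, are meant to govern.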

Note that while table 500 contains change records for only one data object 310, with an identifier of 10, table 500 could contain change records for multiple data objects.

FIG. 5 illustrates but one example scheme that the revisioning database system could employ to track changes to a revisioning database. However, the invention should not be construed as being limited to only the one example scheme or be construed as requiring all details of the one example scheme. For example, instead of storing change records for all data objects 310 in a single table as depicted in FIG. 5, the change records might be stored across multiple tables. Further, the change records may contain other fields that are not depicted in FIG. 5. For example, each change record may have an additional version field that serves as a single primary key for the change record, as opposed to using a combination of the ‘obj_comp_id’ and ‘logical_clk’ fields as the primary key.

Example Implementing Mechanism

According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.

For example, FIG. 6 illustrates a computer system upon which one or more embodiments may be implemented. Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a hardware processor 604 coupled with bus 602 for processing information. Hardware processor 604 may be, for example, a general purpose microprocessor.

Computer system 600 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 604. Such instructions, when stored in non-transitory storage media accessible to processor 604, render computer system 600 into a special-purpose machine that is customized to perform the operations specified in the instructions.

Computer system 600 further includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk, optical disk, or solid-state drive, is provided and coupled to bus 602 for storing information and instructions.

Computer system 600 may be coupled via bus 602 to a display 612, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 614, including alphanumeric and other keys, is coupled to bus 602 for communicating information and command selections to processor 604. Another type of user input device is cursor control 616, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 604 and for controlling cursor movement on display 612. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

Computer system 600 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 600 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 600 in response to processor 604 executing one or more sequences of one or more instructions contained in main memory 606. Such instructions may be read into main memory 606 from another storage medium, such as storage device 610. Execution of the sequences of instructions contained in main memory 606 causes processor 604 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.

The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical disks, magnetic disks, or solid-state drives, such as storage device 610. Volatile media includes dynamic memory, such as main memory 606. Common forms of storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, NVRAM, or any other memory chip or cartridge.

Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 602. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 604 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 600 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 602. Bus 602 carries the data to main memory 606, from which processor 604 retrieves and executes the instructions. The instructions received by main memory 606 may optionally be stored on storage device 610 either before or after execution by processor 604.

Computer system 600 also includes a communication interface 618 coupled to bus 602. Communication interface 618 provides a two-way data communication coupling to a network link 620 that is connected to a local network 622. For example, communication interface 618 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 618 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 618 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 620 typically provides data communication through one or more networks to other data devices. For example, network link 620 may provide a connection through local network 622 to a host computer 624 or to data equipment operated by an Internet Service Provider (ISP) 626. ISP 626 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 628. Local network 622 and Internet 628 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 620 and through communication interface 618, which carry the digital data to and from computer system 600, are example forms of transmission media.

Computer system 600 can send messages and receive data, including program code, through the network(s), network link 620 and communication interface 618. In the Internet example, a server 630 might transmit a requested code for an application program through Internet 628, ISP 626, local network 622 and communication interface 618.

The received code may be executed by processor 604 as it is received, and/or stored in storage device 610 or other non-volatile storage for later execution.

Extensions and Alternatives

In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.

The invention claimed is:
 1. A multimaster system for asynchronous replication among databases, comprising: one or more computing devices configured to execute a first nexus that operates on a first database; one or more computing devices configured to execute a second nexus that operates on a second database; the first nexus comprising one or more processors and storage media storing first instructions which when executed cause the one or more processors: to store first value data in the first database, the first value data comprising a current value and one or more historical values of a first secured component of a data object, the first secured component associated in the first database with a first secured component identifier, the data object associated in the first database with a data object identifier; to store first access control list data in the first database, the first access control list data comprising a current access control list and one or more historical access control lists governing, with respect to the first database, access to the current value and the one or more historical values of the first secured component; and to send one or more network messages to the second nexus, the one or more network messages comprising the data object identifier, the first value data, and the first access control list data; the second nexus comprising one or more processors and storage media storing second instructions which when executed cause the one or more processors: to store second value data in the second database, the second value data comprising a current value and one or more historical values of a second secured component of the data object, the second secured component associated in the second database with a second secured component identifier that is different than the first secured component identifier, the data object associated in the second database with the data object identifier, a change made to the first database to be propagated to the second database; to store second access control list data in the second database, the second access control list data comprising a current access control list and one or more historical access control lists governing, with respect to the second database, access to the current value and the one or more historical values of the second secured component; to receive the one or more network messages related to a change in the first access control list data; to compare the first value data to the second value data; to compare the first access control list data to the second access control list data; and responsive to determining that the first value data matches the second value data and the first access control list data matches the second access control list data, to identify the second secured component as being associated with the first secured component and to replace, in the second database, each of the current access control list and the one or more historical access control lists in the second access control list data with the current access control list from the first access control list data.
 2. The system of claim 1, wherein change records for the first secured component are identified in the first database using a first identifier, wherein change records for the second secured component are identified in the second database using a second identifier, wherein the first identifier cannot be used to identify, in the second database, change records for the second secured component, and wherein the second identifier cannot be used to identify, in the first database, change records for the first secured component.
 3. The system of claim 1: wherein the first instructions when executed further cause the one or more processors: to store first component type data in the first database, the first component type data comprising a current component type and one or more historical component types of the first secured component; and to send one or more network messages to the second nexus, the one or more network messages comprising an identifier of the data object, the first value data, the first access control list data, and the first component type data; wherein the second instructions when executed further cause the one or more processors: to store second component type data in the second database, the second component type data comprising a current component type and one or more historical component types of the second secured component; to compare the first component type data with the second component type data; and responsive to determining that the first value data matches the second value data, the first access control list data matches the second access control list data, and the first component type data matches the second component type data, to replace, in the second access control list data in the second database, each of the current access control list and the one or more historical access control lists in the second access control list data with the current access control list from the first access control list data.
 4. The system of claim 1, wherein the first secured component and the second secured component are both properties of the data object, the first secured component and the second secured component having the same property name.
 5. The system of claim 1, wherein each access control list in the first access control list data comprises one or more access control items, each access control item comprising a user or a group of users and one or more permissions of the user or the group of users with respect to the first secured component, and wherein each access control list in the second access control list data comprises one or more access control items, each access control item comprising a user or a group of users and one or more permissions of the user or the group of users with respect to the second secured component.
 6. The system of claim 1, wherein the first secured component is a property, a note, or media, and wherein the second secured component is a property, a note, or media.
 7. The system of claim 1, wherein the first instructions when executed further cause the one or more processors to store the first value data in one or more first change records in the first database, each change record of the one or more first change records corresponding to the current value or one of the one or more historical values of the first secured component, and wherein the second instructions when executed further cause the one or more processors to store the second value data in one or more second change records in the second database, each change record of the one or more second change records corresponding to the current value or one of the one or more historical values of the second secured component.
 8. The system of claim 1, wherein the first instructions when executed further cause the one or more processors to format the one or more network messages using an eXtensible Markup Language (XML) or a protocol buffer.
 9. The system of claim 1, wherein the current access control list of the second access control data is the same as the current access control list of the first access control data; and wherein the second instructions when executed further cause the one or more processors to store the current access control list of the first access control data in the second database as the current access control list of the second access control data in response to receiving the one or more network messages.
 10. The system of claim 1, wherein the current value of the second value data is the same as the current value of the first value data; and wherein the second instructions when executed further cause the one or more processors to store the current value of the first value data in the second database as the current value of the second value data in response to receiving the one or more network messages.
 11. A method performed by a multimaster system of asynchronous replication among databases, comprising: a first nexus that operates on a first database performing the steps of: storing first value data in the first database, the first value data comprising a current value and one or more historical values of a first secured component of a data object, the first secured component associated in the first database with a first secured component identifier, the data object associated in the first database with a data object identifier; storing first access control list data in the first database, the first access control list data comprising a current access control list and one or more historical access control lists governing, with respect to the first database, access to the current value and the one or more historical values of the first secured component; and sending one or more network messages to the second nexus, the one or more network messages comprising an identifier of the data object, the first value data, and the first access control list data; a second nexus that operates on a second database performing the steps of: storing second value data in the second database, the second value data comprising a current value and one or more historical values of a second secured component of the data object, the second secured component associated in the second database with a second secured component identifier that is different than the first secured component identifier, the data object associated in the second database with the data object identifier, a change made to the first database to be propagated to the second database; storing second access control list data in the second database, the second access control list data comprising a current access control list and one or more historical access control lists governing, with respect to the second database, access to the current value and the one or more historical values of the second secured component; receiving the one or more network messages related to a change in the first access control list data; comparing the first value data to the second value data; comparing the first access control list data to the second access control list data; and responsive to determining that the first value data matches the second value data and the first access control list data matches the second access control list data, identifying the second secured component as being associated with the first secured component and replacing, in the second database, each of the current access control list and the one or more historical access control lists in the second access control list data with the current access control list from the first access control list data.
 12. The method of claim 11, wherein change records for the first secured component are identified in the first database using a first identifier, wherein change records for the second secured component are identified in the second database using a second identifier, wherein the first identifier cannot be used to identify, in the second database, change records for the second secured component, and wherein the second identifier cannot be used to identify, in the first database, change records for the first secured component.
 13. The method of claim 11, further comprising: the first nexus performing the steps of: storing first component type data in the first database, the first component type data comprising a current component type and one or more historical component types of the first secured component; sending one or more network messages to the second nexus, the one or more network messages comprising an identifier of the data object, the first value data, the first access control list data, and the first component type data; the second nexus performing the steps of: storing second component type data in the second database, the second component type data comprising a current component type and one or more historical component types of the second secured component; comparing the first component type data with the second component type data; responsive to determining that the first value data matches the second value data, the first access control list data matches the second access control list data, and the first component type data matches the second component type data, replacing, in the second access control list data in the second database, each of the current access control list and the one or more historical access control lists in the second access control list data with the current access control list from the first access control list data.
 14. The method of claim 11, wherein the first secured component and the second secured component are both properties of the data object, the first secured component and the second secured component having the same property name.
 15. The method of claim 11, wherein each access control list in the first access control list data comprises one or more access control items, each access control item comprising a user or a group of users and one or more permissions of the user or the group of users with respect to the first secured component, and wherein each access control list in the second access control list data comprises one or more access control items, each access control item comprising a user or a group of users and one or more permissions of the user or the group of users with respect to the second secured component.
 16. The method of claim 11, wherein the first secured component is a property, a note, or media, and wherein the second secured component is a property, a note, or media.
 17. The method of claim 11, wherein the first value data is stored in one or more first change records in the first database, each change record of the one or more first change records corresponding to the current value or one of the one or more historical values of the first secured component, and wherein the second value data is stored in one or more second change records in the second database, each change record of the one or more second change records corresponding to the current value or one of the one or more historical values of the second secured component.
 18. The method of claim 11, wherein the one or more network messages are formatted using an eXtensible Markup Language (XML) or a protocol buffer.
 19. The method of claim 11, wherein the current access control list of the second access control data is the same as the current access control list of the first access control data; and wherein the current access control list of the first access control data is stored in the second database as the current access control list of the second access control data in response to receiving the one or more network messages.
 20. The method of claim 11, wherein the current value of the second value data is the same as the current value of the first value data; and wherein the current value of the first value data is stored in the second database as the current value of the second value data in response to receiving the one or more network messages.
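The importing-side matching and replacement recited in claims 1, 3 and 11, as an added example (this is not code from the patent or from any product it describes). Because the two databases assign different secured component identifiers and run independent logical clocks, the importing nexus cannot locate the component by identifier; it matches on the data object identifier, the component type (claim 3), and the value and ACL histories carried in the message, then rewrites the current and every historical ACL of the matched component to the new ACL so that historical change records are governed by it too. The message layout, the function names, and the choice to match on the ACL history as it stood before the change (so that the importer's current ACL corresponds to the exporter's last pre-change ACL) are assumptions of this example; the component data is constructed.

```python
"""Added example, not from the patent: replicating an ACL change from an
exporting to an importing revisioning database by content matching.
Assumed: the message carries the exporter's value history and its ACL
history as it stood before the change, plus the new current ACL."""
from dataclasses import dataclass

Acl = frozenset   # an ACL is a frozenset of (group, permission) items


@dataclass
class SecuredComponent:
    comp_id: int     # local identifier; differs between the two databases
    obj_id: int      # data object identifier; shared by both databases
    comp_type: str   # e.g. the property name ("Name")
    values: list     # value change records [(logical_clk, value)], oldest first
    acls: list       # ACL change records [(logical_clk, Acl)], oldest first


@dataclass(frozen=True)
class AclChangeMessage:
    obj_id: int
    comp_type: str
    values: tuple      # exporter's value history, local clocks stripped
    prior_acls: tuple  # exporter's ACL history before the change, clocks stripped
    new_acl: Acl


def build_message(comp, new_acl):
    """Exporting nexus: snapshot the component before recording the ACL change.
    Local identifiers and clock values are omitted; they mean nothing remotely."""
    return AclChangeMessage(comp.obj_id, comp.comp_type,
                            tuple(v for _, v in comp.values),
                            tuple(a for _, a in comp.acls), new_acl)


def apply_new_acl(comp, new_acl, logical_clk):
    """Rewrite every historical ACL record to new_acl and record the change,
    so every historical value of the component is now governed by new_acl."""
    comp.acls = [(clk, new_acl) for clk, _ in comp.acls]
    comp.acls.append((logical_clk, new_acl))


def apply_acl_change(db, msg, logical_clk):
    """Importing nexus: apply the change to each component of the same data
    object whose type, value history and ACL history all match the message.
    Returns the local identifiers updated; [] means nothing matched and the
    database was left untouched."""
    updated = []
    for comp in db:
        if comp.obj_id != msg.obj_id or comp.comp_type != msg.comp_type:
            continue
        if tuple(v for _, v in comp.values) != msg.values:
            continue
        if tuple(a for _, a in comp.acls) != msg.prior_acls:
            continue
        apply_new_acl(comp, msg.new_acl, logical_clk)
        updated.append(comp.comp_id)
    return updated


def readable_values(comp, groups):
    """Values, current and historical, that a user in `groups` may read: each
    value is governed by the ACL in force at that value's logical clock."""
    out = []
    for clk, value in comp.values:
        governing = [a for c, a in comp.acls if c <= clk]
        acl = governing[-1] if governing else Acl()
        if any(g in groups and p == "read" for g, p in acl):
            out.append(value)
    return out


# Constructed scenario: the same "Name" property exists in both databases
# under different local identifiers (7 vs. 42) and different clock values.
OLD = Acl({("analysts", "read")})
NEW = Acl({("leads", "read")})


def demo():
    exp = SecuredComponent(7, 10, "Name",
                           [(1, "John Smith"), (3, "Jonathan Smith")], [(1, OLD)])
    msg = build_message(exp, NEW)      # snapshot first ...
    apply_new_acl(exp, NEW, 4)         # ... then record the change locally
    imp_name = SecuredComponent(42, 10, "Name",
                                [(5, "John Smith"), (9, "Jonathan Smith")], [(5, OLD)])
    imp_phone = SecuredComponent(43, 10, "Phone #", [(6, "415-222-1234")], [(6, OLD)])
    imp_other = SecuredComponent(44, 10, "Name", [(5, "J. Smith")], [(5, OLD)])
    db = [imp_name, imp_phone, imp_other]
    before = readable_values(imp_name, {"analysts"})
    updated = apply_acl_change(db, msg, 12)
    after = readable_values(imp_name, {"analysts"})
    return updated, before, after, imp_phone.acls, imp_other.acls
```

The `readable_values` calls in `demo` show the property the abstract is after: before the change an analyst could read both the current and the historical name; after the change every historical value of the matched component is governed by the new ACL, while the phone property and the non-matching "Name" component are untouched.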